Hi,
As discussed at the team meeting in February, I started creating a wiki page with some guidelines for avoiding security bugs [0]. The page is not finished yet, I just set out some ideas that I will work out in the next few days. Feel free to comment, improve or add guidelines as you see fit.
[0] http://wiki.phpmyadmin.net/pma/Security_pitfalls
Hi
On Tue, 27 Mar 2012 22:01:05 +0200, Dieter Adriaenssens dieter.adriaenssens@gmail.com wrote:
Thanks, looks great so far!
On 2012-03-28 04:53, Michal Čihař wrote:
> Thanks, looks great so far!
Yes, thanks. I'm wondering, are there places where we really use htmlentities() for protection?
Also I think we should talk about PMA_sanitize().
On 28 March 2012 14:37, Marc Delisle marc@infomarc.info wrote:
> Yes, thanks. I'm wondering, are there places where we really use htmlentities() for protection?
htmlentities() is not much used (see below), shall we replace them all by htmlspecialchars() and drop htmlentities() from the guidelines?
Using htmlspecialchars() is sufficient to protect against XSS (and possibly messing up of the HTML structure); htmlentities() just converts more characters into their HTML character entity equivalents (for example ü will become &uuml;).
Current occurrences of escaping/sanitizing functions in the PMA codebase:
htmlentities() : 51
htmlspecialchars() : 1041
PMA_sanitize() : 40
PMA_sanitize_file() : 3
> Also I think we should talk about PMA_sanitize().
Yes, but it should not be used in all cases?
On 2012-03-31 11:02, Dieter Adriaenssens wrote:
> htmlentities() is not much used (see below), shall we replace them all by htmlspecialchars() and drop htmlentities() from the guidelines?
It would be more prudent to have a look at them, one by one, and see their exact purpose.
Anyway, some of them are under libraries/tcpdf and some under /test.
In the PHP Architect guide to PHP security by one of the PHP core developers, I checked the chapter about XSS. I could not find a suggestion to use htmlentities(); however, htmlspecialchars() does not find all XSS, so they suggest using preg_replace() with some clever patterns.
>> Also I think we should talk about PMA_sanitize().
> Yes, but it should not be used in all cases?
Maybe, but it would be slower than just plain htmlspecialchars(). Also, with the default parameters of PMA_sanitize(), it just replaces "<" and ">" and takes care of our special formatting codes.
On 01/04/12 13:11, Marc Delisle wrote:
>> htmlentities() is not much used (see below), shall we replace them all by htmlspecialchars() and drop htmlentities() from the guidelines?
> It would be more prudent to have a look at them, one by one, and see their exact purpose.
You'd use htmlentities() when you need to escape single quotes; htmlspecialchars() doesn't do that.
E.g.:
$name = htmlentities("foo's bar", ENT_QUOTES); echo "<input name='name' value='$name' />";
On 2012-04-01 13:49, Rouslan Placella wrote:
> You'd use htmlentities() when you need to escape single quotes; htmlspecialchars() doesn't do that.
From the PHP manual for htmlspecialchars(), we can use the ENT_QUOTES flag which does this: "'" (single quote) becomes '&#039;' only when ENT_QUOTES is set.
2012/4/1 Marc Delisle marc@infomarc.info:
> From the PHP manual for htmlspecialchars(), we can use the ENT_QUOTES flag which does this: "'" (single quote) becomes '&#039;' only when ENT_QUOTES is set.
I've added the ENT_QUOTES directive to the page and also added some examples for escaping URLs and encoding URL parameter values.
> In the PHP Architect guide to PHP security by one of the PHP core developers, I checked the chapter about XSS. I could not find a suggestion to use htmlentities(); however, htmlspecialchars() does not find all XSS, so they suggest using preg_replace() with some clever patterns.
Do you have a link to that, or do you own a paper copy?
-- Marc Delisle http://infomarc.info
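The escaping calls discussed in this thread, worked through as an added example. This is not code from the wiki page or from the phpMyAdmin code base; the function names (attr, text, queryString, anchorTag) and the sample values are constructed for the illustration. It covers the two points raised above: ENT_QUOTES for a value placed in a single-quoted attribute, with htmlentities() shown next to htmlspecialchars(), and the URL parameter encoding Dieter mentions, where the parameter value is percent-encoded first and the finished URL is escaped again for the href attribute.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin's own code: output escaping chosen per context.
// Function names and sample values are constructed for this illustration.
// Flags are always passed explicitly: PHP 8.1 changed the default of
// htmlspecialchars()/htmlentities() from ENT_COMPAT to ENT_QUOTES|ENT_SUBSTITUTE,
// so code that relies on the default behaves differently across versions.

// Value placed inside an HTML attribute (single- or double-quoted).
function attr(string $value, int $flags = ENT_QUOTES): string
{
    return htmlspecialchars($value, $flags, 'UTF-8');
}

// Value placed in HTML text between tags; the same five characters matter.
function text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Query string built from user-supplied parameters: percent-encode each key
// and value (URL context). http_build_query($params, '', '&', PHP_QUERY_RFC3986)
// is the library equivalent of this loop.
function queryString(array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = rawurlencode((string) $key) . '=' . rawurlencode((string) $value);
    }
    return implode('&', $pairs);
}

// The finished URL goes into an attribute, so it is escaped once more for the
// HTML context: the '&' between parameters must become '&amp;' there.
function anchorTag(string $script, array $params, string $label): string
{
    $url = $script . '?' . queryString($params);
    return '<a href="' . attr($url) . '">' . text($label) . '</a>';
}

// --- demonstration ---------------------------------------------------------
$name = "foo's bar";   // the value used in the thread

// ENT_COMPAT converts double quotes only: the single quote is emitted as-is
// and terminates the single-quoted attribute early.
echo "<input name='name' value='" . attr($name, ENT_COMPAT) . "' />\n";

// ENT_QUOTES converts both quote styles: the attribute stays intact.
echo "<input name='name' value='" . attr($name, ENT_QUOTES) . "' />\n";

// htmlentities() additionally converts every character that has a named
// entity. For the HTML-significant characters it does exactly what
// htmlspecialchars() does, so it adds entities, not protection.
echo htmlspecialchars('ü', ENT_QUOTES, 'UTF-8'), ' / ',
     htmlentities('ü', ENT_QUOTES, 'UTF-8'), "\n";

// Constructed parameter containing a space, '&' and single quotes: the
// percent-encoding keeps it one parameter, the attribute escaping keeps the
// href intact.
$table = "my table & 'co'";
echo anchorTag('sql.php', ['db' => 'test', 'table' => $table], $table), "\n";
```

Run it with php from the command line and compare the two input tags: the ENT_COMPAT line shows the raw apostrophe inside the single-quoted value, the ENT_QUOTES line shows the &#039; entity from the manual text quoted above, the third line shows ü beside &uuml;, and the href contains &amp; between the two percent-encoded parameters. The design point is that the encoding is picked by where the value lands (attribute, text, URL parameter), and a value that passes through two contexts is encoded twice, innermost context first.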
On 2012-04-29 09:34, Dieter Adriaenssens wrote:
> I've added the ENT_QUOTES directive to the page and also added some examples for escaping URLs and encoding URL parameter values.
Great.
>> In the PHP Architect guide to PHP security by one of the PHP core developers, I checked the chapter about XSS. I could not find a suggestion to use htmlentities(); however, htmlspecialchars() does not find all XSS, so they suggest using preg_replace() with some clever patterns.
> Do you have a link to that, or do you own a paper copy?
Sorry, paper copy.